Among other things, those OGS Patches fixes some important security related issues.
Those commercial patches (see below table for exact patch ID) are available on the My Oracle Support site as part of Oracle's Commercial Support for GlassFish.

Oracle GlassFish Server (OGFS) 3.1.2 Patch 5

Closed network / IPS

147902-09 Solaris Sparc

147903-09 Solaris x86

147904-09 Linux

147907-09 Windows

147905-09 AIX

147906-09 Mac

File Based - Java EE

147913-08 Solaris (Sparc & x86), Linux, Mac

147912-08 Windows

147918-08 AIX

File Based - Web Profile

147915-09 Solaris (Sparc & x86), Linux, Mac

147917-08 Windows

147919-09 AIX

Bugs Resolved by This Patch

16474371 312P5 : MORE FAILURE IN ANT EXECUTION

16465543 OSGI-JPA MISSING BUNDLE EXCEPTIONS

16430691 STOP DOMAIN COMMAND WAIT TIME IS HARDCODED

16404527 ASADMIN START-DOMAIN DOES NOT KEEP JVM-OPTIONS ORDER LISTED IN DOMAIN.XML

Wednesday Jan 16, 2013

Oracle GlassFish Server v3.1.2 Patch 4 is a commercial (Restricted) set of patches available as part of Oracle's Commercial Support for GlassFish. Those patches were released on Jan 13 2013. In addition, Patch 20 (file-based only) of GlassFish 2.1.1 was released Jan 14, 2013.

The SJS AS 9.1 U2 Patch 26, GlassFish 2.1 Patch 20, and GlassFish 2.1.1 Patch 14 was a Critical Patch Update and released earlier this month.

Highlights
If your hundreds of thin native clients connecting to SSL/non-SSL IIOP ports to GlassFish is typing up server resources requiring a server restart then this release has fixed the issue for you. The bug 13006882 provide more details about it. An additional TCP port was created when -Dcom.sun.enterprise.admin.server.core.channel.port explicitly specified the port number. A more recent version of Grizzly (1.0.42) is integrated and more details about the bugs fixed until this release are available here. Several issues were back ported from more recent versions such as GLASSFISH-16070 and GLASSFISH-1633. A complete list of bugs fixed in this release is provided at the end.

CommentCommercial (for-fee) release with regular bug fixes.
This is patch 25 for SJS AS 9.1 U2; it is also patch 19 for GlassFish v2.1 and patch 13 for GlassFish v2.1.1.
It contains the fixes from the previous patches plus fixes for 18 unique defects.

Sunday Dec 18, 2011

The GlassFish Server Open Source
Edition provides a full Java EE 6 compliant, free, and an
open source application server.
It is also available in a Web Profile distribution and can be
downloaded from glassfish.org.
The grey box in the diagram below shows functionality in the open
source distribution. It is an easy-to-use (zip installer and
NetBeans/Eclipse/IntelliJ integration), light-weight (downloads
starting at 30MB, small disk/memory footprint), and modular
(OSGi-based, containers start on demand) application server. It also
provides clustering with high availability and centralized
administration using CLI, web-based administration console, and REST
APIs. The open source edition is supported using the GlassFish
Forums and other social
media channels.

The Oracle GlassFish Server
is Oracle's commercially supported GlassFish Server distribution.
The diagram below shows the additional set of features offered in
the commercial edition above and beyond the open source edition. The
Oracle GlassFish Server Control
is a suite of features that improves performance, allows automatic
backup of configuration and application data, enables fine-grained
monitoring, and enables more secure and highly available production
deployments. The customers also get 24 x 7 support all through out
the year, priority for their bug fixes and patches/hot fixes for
them. Indemnification protects you from legal action associated with
the open source software distributed by Oracle. This edition can be
downloaded for evaluation
from OTN but a license is required for production use. Learn
more about how support and sustaining is provided as part of the
commercial distribution here.

In summary, GlassFish Server Open Source Edition has the following
features:

Friday Dec 16, 2011

The patch 1 was a Critical Patch Update (CPU) and released in October 2011. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. The exact patch details and downloads can be found here.

GlassFish 3.1.1 Patch 2 was released on Dec 2, 2011 and it is part of
Oracle's Commercial GlassFish Offering. There are 20 bugfixes in this patch. It integrates newer versions of Grizzly, Jersey, Weld, and HK2. This patch also fixes a bug in Weld that allows weld-numberguess sample to be run successfully again. This patch also drastically improves the deployment times of EAR files with WAR files on Mac. There is also a bugfix that allows EJB-based Web service to now run on domains migrated from 2.x to 3.1.1. The complete list of bugs is given below.

Patch 2 is available as an IPS repository in ZIP format.
To install the upgrade, just unzip that ZIP file and then follow
these instructions.

Release Overview

Description
Patch release for GlassFish 3.1.1.

Release DateDec 2, 2011

Patch IdsAll distributions of this release, including patches, are based on IPS packages. Login to https://support.oracle.com/ with your ID and password, click on the "Patches and Updates" tab and enter the Patch ID as mentioned below.

CommentCommercial (for-fee) release with regular bug fixes.
This is patch 25 for SJS AS 9.1 U2; it is also patch 19 for GlassFish v2.1 and patch 13 for GlassFish v2.1.1.
It contains the fixes from the previous patches plus fixes for 18 unique defects.

CommentCommercial (for-fee) release with regular bug fixes.
This is patch 24 for SJS AS 9.1 U2; it is also patch 18 for GlassFish v2.1 and patch 12 for GlassFish v2.1.1.
It contains the fixes from the previous patches plus fixes for 11 unique defects.

GlassFish 3.0.1 Patch 3 is available as an IPS repository in ZIP format.
To install the upgrade, just unzip that ZIP file and then follow
these instructions.

Release Overview

Description
Patch release in GlassFish 3.x family.

Release DateJun 16, 2011

Patch IdsAll distributions of this release, including patches, are based on IPS packages. Login to https://support.oracle.com/ with your ID and password
Click on the "Patches and Updates" tab and enter the Patch ID as mentioned below.

Comments• Third Patch Release for GlassFish 3.0.1;
since GlassFish 3.0.1 is essentially also a patch release for 3.0, arguably this is the fourth patch release for GlassFish 3.0.
• This patch is required for extending and updating GlassFish Server installations on machines that do not have Internet connectivity.
• Users and customers interested in clustering and state replication should use
GlassFish 3.1.

CommentCommercial (for-fee) release with regular bug fixes.
This is patch 23 for SJS AS 9.1 U2; it is also patch 17 for GlassFish v2.1 and patch 11 for GlassFish v2.1.1.
It contains the fixes from the previous patches plus fixes for 31 unique defects.

CommentCommercial (for-fee) release with regular bug fixes.
This is patch 22 for SJS AS 9.1 U2;
it is also patch 16 for GlassFish v2.1
and patch 10 for GlassFish v2.1.1.
It contains the fixes from the previous patches plus fixes
for 9 unique defects.

StatusCURRENT

Bugs Fixed in this Patch:

•
[7001464] - integrate jdk 1.6.0_22 b04
•
[6888689] - XID throws ArrayIndexOutOfBoundsException when hostname/instance name are too long [IT 8613]
•
[6995209] - When seeing the logs through 'Configurations' link for an instance, default view is on DAS logs.
•
[6995201] -Exception HTTP Status 500 raised for an instance if log file is moved and renamed.
•
[6996761] -Exception HTTP Status 500 raised for two instances if their log files are moved and renamed.
•
[7001806] - Log4J logging to console using ConsoleAppender does not work after SGES211p06
•
[6984103] - Missing persistence-type properties in the quickstart sample for clusterjsp
•
[7001831] - Build and stage new jars for JDK 1.6.0_22-b04 for integrating with patch10 of GF v2.1.1
•
[7001080] - Version changes and Readme updates for p10

GlassFish 3.0.1 Patch 1 was withdrawn due to package information incompatibility. GlassFish 3.0.1 Patch 2 is available as an IPS repository in ZIP format.
To install the upgrade, just unzip that ZIP file and then follow
these instructions.

Release Overview

Description
Patch release in GlassFish 3.x family.

Release DateJanuary 4, 2011

Patch IdsAll distributions of this release, including patches, are based on IPS packages. Login to https://support.oracle.com/ with your ID and password
Click on the "Patches and Updates" tab and enter the Patch ID as mentioned below.

Comments• Second Patch Release for GlassFish 3.0.2;
since GlassFish 3.0.1 is essentially also a patch release for 3.0, arguably this is the third patch release for GlassFish 3.0.
• This patch is required for extending and updating GlassFish Server installations on machines that do not have Internet connectivity.
• Users and customers interested in clustering and state replication should use
GlassFish v2
until these features show up in GlassFish 3.1.

CommentCommercial (for-fee) release with regular bug fixes.
This is patch 21 for SJS AS 9.1 U2;
it is also patch 15 for GlassFish v2.1
and patch 9 for GlassFish v2.1.1.
It contains the fixes from the previous patches plus fixes
for 11 unique defects.

To explain how Oracle's commercial support works, we need to first explain how the open source edition is developed.

The basic release cycle of GlassFish has
Daily,
Weekly,
Milestones
(frequency varies)
and
Final Releases.
Each Milestone is a mini-release cycle,
with its own stabilization phase at the end.

Milestone releases are quite stable, specially towards the end of the cycle,
but they are
not intended for production deployment.
Of course, since those releases are available with an Open Source license and are developed transparently,
you can make your own risk assessment
and go on production with, say, a Release Candidate milestone, but beware that
we can always discover a bad bug before final that may cause significant
changes.
In particular, Oracle only provides formal Sustaining Support for final releases.

Now we can describe the sustaining story for GlassFish.
Oracle branches a source repository from the Final GF Releases and then
we contribute fixes for important bugs with care to guarantee stability.
From there, we create regular sustaining patches that are available to
commercial subscribers (via
SunSolve initially,
soon from
My Oracle Support),
as well as the usual 24x7, worldwide support, knowledge database, etc.

To ensure that the bugs don't reappear, we also propagate the bug fixes in the sustaining
repositories into the public repositories, although the timing and details of this
will vary depending on the cycle,
and, of course, the public repositories also receive many other changes
at the same time, some of which will be new bugs :-(.
(a slightly more detailed description of this is at
Productizing Open Source - The GlassFish Approach).

Finally,
Alexis' Note
also explained how sustaining tests the bug fixes, including longevity testing, to ensure
the bug fixes are very solid.